CVE-2025-43860
📋 TL;DR
OpenEMR versions before 7.0.3.4 have a stored XSS vulnerability where authenticated users with patient editing privileges can inject malicious JavaScript into address fields. This allows attackers to execute arbitrary JavaScript in victims' browsers when they view or edit patient data. All OpenEMR installations running a vulnerable version are affected.
💻 Affected Systems
- OpenEMR
📦 What is this software?
OpenEMR by OpenEMR
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal healthcare provider credentials, access sensitive patient data, modify medical records, or pivot to other systems within the network.
Likely Case
Attackers with legitimate patient editing access could create persistent phishing pages, steal session cookies, or deface patient records.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0.3.4
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-2h9p-7vmc-wmqv
Restart Required: Yes
Instructions:
1. Backup your OpenEMR installation and database
2. Download OpenEMR 7.0.3.4 or newer from official repository
3. Replace vulnerable files with patched versions
4. Restart web server services
5. Verify functionality
🔧 Temporary Workarounds
Input Validation Filter
- Implement server-side input validation to sanitize address field inputs
- Modify patient demographics processing scripts to strip/escape HTML/JavaScript from address fields
Output Encoding
- Apply proper output encoding when displaying address field data
- Implement HTML entity encoding for all user-controlled data displayed in the web interface
🧯 If You Can't Patch
- Restrict patient creation/editing privileges to only essential personnel
- Implement web application firewall (WAF) rules to block XSS payloads in address fields
🔍 How to Verify
Check if Vulnerable:
Check OpenEMR version in admin interface or by examining source files for version markers
Check Version:
Check /sites/default/sqlconf.php or admin interface for version number
Verify Fix Applied:
Test address fields with basic XSS payloads like <script>alert('test')</script> and verify they are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript patterns in address field submissions
- Multiple failed XSS attempts in web server logs
- Suspicious patient record modifications
Network Indicators:
- HTTP requests containing script tags in address field parameters
- Unusual outbound connections from OpenEMR server
SIEM Query:
web.url:*patient* AND (web.param:*<script* OR web.param:*javascript:* OR web.param:*onload=*)
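The SIEM query above, applied offline to web server access logs, as an added example (not part of the advisory and not OpenEMR project code): it flags patient-related requests whose decoded query parameters carry script tags, javascript: URLs or onload= handlers. The log format (Common Log Format) and the parameter names in the sample lines are assumptions for the demo.

```python
"""Added example: hunt access logs for the XSS patterns named in the SIEM query.
Log format and parameter names (street, city) are assumed, not taken from OpenEMR."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Common Log Format; not real OpenEMR traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /interface/patient_file/summary/demographics_save.php?street=12+Main+St&city=Springfield HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2025:10:00:09 +0000] "GET /interface/patient_file/summary/demographics_save.php?street=%3Cscript%3Ealert(1)%3C/script%3E&city=X HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2025:10:01:12 +0000] "GET /interface/main/main_screen.php?foo=%3Cscript%3E HTTP/1.1" 200 77
10.0.0.7 - - [01/May/2025:10:02:30 +0000] "GET /interface/patient_file/summary/demographics_save.php?street=x&city=%22%20onload%3Dalert(1) HTTP/1.1" 200 512
"""

# Common Log Format: client IP, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Mirrors the three patterns of the SIEM query; matched on the decoded value,
# case-insensitively, so <SCRIPT> and javascript: in mixed case are not missed.
PAYLOAD_RE = re.compile(r'<script|javascript:|onload=', re.IGNORECASE)


def find_xss_attempts(log_text):
    """Return (client_ip, parameter_name, decoded_value) for every query parameter
    that matches PAYLOAD_RE in a request whose URL path contains 'patient'
    (the web.url:*patient* clause of the SIEM query)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed CLF line; skip rather than crash
        url = urlsplit(m.group("target"))
        if "patient" not in url.path.lower():
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl already percent-decodes once; decode again so a
            # double-encoded %253Cscript%253E does not slip past the regex.
            decoded = unquote(value)
            if PAYLOAD_RE.search(decoded):
                hits.append((m.group("ip"), name, decoded))
    return hits


if __name__ == "__main__":
    for ip, param, value in find_xss_attempts(SAMPLE_LOG):
        print(f"{ip} param={param!r} value={value!r}")
```

Address edits are normally submitted as POST forms, whose bodies do not appear in a standard access log; feed this the request log of a WAF or reverse proxy configured to record bodies, or run the same regex over those bodies.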